The ID Document Is Dead. The Industry Just Hasn’t Buried It Yet.

Open a bank account online today, and you will almost certainly be asked to do the same thing you were asked to do a decade ago. Hold up your driver’s license, take a selfie, and wait. It felt like magic in 2016. Today, it feels like a liability, because the one thing AI has gotten frighteningly good at is faking a picture of a document and a picture of a face.
I spent the past few weeks talking with people who think about identity for a living, across three continents, and reached a clear conclusion. The era of verifying paper documents is ending. The harder question is what replaces it, and how long the messy middle drags on.
The document was always a workaround
Start with what document verification actually is. We took a physical artifact designed for a human to eyeball, photographed it, and asked software to decide if the photo was real. That was never the destination. It was a bridge.
Victoria Richardson, a partner at the Australia-based identity consultancy ID Partners, has watched this market longer than almost anyone, and she does not soften it. When I put my thesis to her that document-centric verification is under threat, she didn’t blink. “100% agree, as they say a hard agree on that,” she told me. The companies that built this industry were solving a paperwork problem that is now disappearing. “The value that they added is they took your paper based document and they digitized it,” she said. The issuers are starting to do that themselves.
Brian Hughes, who advises banks on fraud at BCG and sits as an advisor to SentiLink, frames the document as one input among many, and not a favored one. “We’re relying on a collection of data points, largely gathered passively because there’s a low tolerance for friction among consumers,” he told me. In his model, there are roughly ten signals worth consulting, from email age to phone carrier data to device intelligence. The document is just one of them, and an expensive one. “Documents are usually only consulted as a step up because it does create so much friction,” Hughes said. We lean on documents not because they are the strongest signal, but because they are the ones customers expect.
The attackers industrialized. We didn’t.
Here is what changed, and why the bridge is now on fire. Fraud used to be a craft. Now it is a factory.
Hal Lonas, the CTO of Trulioo and a twenty-year cybersecurity veteran, put it in terms I keep thinking about. “In the past we’ve tended to see and think about these hackers as artists, kind of producing one-off artwork,” he said. “And I think what we see now is AI factories, in the industrialized world, to crank out hundreds and thousands of attacks in a short amount of time.” The numbers back him up. Lonas noted that some US financial institutions now see “20% of new applications as fakes and frauds.” One in five.
The mechanics have shifted too. Deepanker Saxena, who leads document verification, biometrics, and reusable identity products at Socure, walked me through it. “The fraud vectors used to be more on presentation attacks,” he said, meaning a printed fake held up to a camera. “But that has moved now to more of injection attacks. They are creating them digitally and presenting them digitally now to the cameras.” Lonas described the same threat from the defender’s side. “The bad guys have figured out how to inject into the stream of data coming back from the camera,” he said. “They’re actually injecting right into the network.”
And the raw material has never been cheaper. Saxena has tested the tools himself. “Now you can take the headshot, put a prompt, and you have a selfie,” he said. The painstaking Photoshop work that used to gate this fraud is gone, and when the cost of a convincing fake collapses, attackers stop being selective. “When you have a lower cost of fraud, you’re going to try 10 different things at the same time and see which one breaks,” Saxena said.
You can no longer trust your own eyes
If documents and selfies can be conjured from a text prompt, then the entire visual layer of verification is compromised. Saxena said it as bluntly as anyone could. “Anything that is just visual, you can’t believe anything that you see anymore.”
Dave Birch, the British commentator behind the “Identity Is the New Money” newsletter, gave me the cleanest articulation of the way out. The problem is not that fakes exist. It is that we are still fighting them on the wrong battlefield. “I can make a fake video of Brad Pitt, it’s really not that complicated,” Birch said. “I can’t make a fake digital signature of Brad Pitt because that’s not how maths works.” That single sentence reframes the whole debate. Pixels can be forged. Cryptography cannot. And we have had the cryptography for decades. “We already know what we need to do, which is to actually implement the cryptography that we’ve had for years but don’t use,” Birch told me.
He is scathing about the alternative, which is throwing better AI at the problem. “Using AI to detect these frauds, that’s a red queen’s race, that’s never going to work,” he said. Your model improves, theirs improves, nobody wins. Birch wants the security baked into the hardware and made invisible to the user, the way seat belts are. “You don’t sell people cars and say you really ought to have a seat belt,” he said. “We just say sorry, you can’t buy a car without seat belts.”
What actually replaces the document
The good news, and it genuinely surprised me how much of it there is, is that the replacement already exists. It is the verifiable digital credential, and the reason it works is that the people who issue your identity are going digital first.
Richardson laid out the shift in plain terms. “The process of checking identity becomes much more about cryptography,” she said. Governments are starting to issue what she calls digitally verifiable credentials, built to shared global standards like the ISO mobile driving license. When a bank clerk checks one in branch, they are not squinting at a photo. “Customers can just tap their phone or scan a QR code,” she said. The signature on that credential can be traced back to the issuing authority through public key infrastructure, which means a spoofed image gets you nowhere.
Saxena described the same destination from the commercial side, through what Socure calls reusable identity. Verify someone once, bind that verified identity to their device and biometrics, and you never have to ask for the document again. “That reduces a big attack vector now, because you don’t have to present a document,” he said. “The second you bring in the document again to the picture, you’re exposing yourself again to another attack.” His team is also leaning on signals that no prompt can fake, like the physics of how a real human holds a phone. “If you try to go down that path of just understanding the physics of how this process works, instead of going to the biology of it,” he said. “You build defenses that survive the next model release.”
Hughes put the strategic direction in four words. “The future is reusability,” he told me. Verify once, trust many times, and stop making every institution redo the same fakeable work.
The technology is here. We’re just not using it.
So why does opening an account still feel like 2016? Because the rails exist and almost nobody is riding them. I have had a mobile driver’s license on my phone in Colorado for years, and I have used it exactly nowhere.
Lonas, in California, has the same experience. “We have the technology, but it’s not being used,” he said. Birch finds this genuinely maddening. “If I was a bank, that would be the first thing I’d ask for,” he said of the mobile driving license. “That would solve so many problems.” His patience for the industry’s hand-wringing about AI is thin, and he has the perfect example. A sanctioned Russian warlord, he reminded me, “passed his KYC checks in London using his mother’s gas bill from St Petersburg. So before anybody in a bank starts lecturing me about AI identities, come on.”
Richardson sees a market that is actually moving, just not evenly. In Australia, Commonwealth Bank already lets new customers onboard by reading the chip in their passport, and banks there are running trials of the mobile driving license, with infrastructure rebuilt to accept these credentials by default because regulation increasingly demands it.
What I keep coming back to
Here is the thing that reframed this whole story for me. The move off documents is not really being driven by a better mousetrap. It is being driven by fear. Richardson named the forcing function directly. “If we know that identity verification wasn’t great, the pressure for the banks to do something about it is AI,” she said. The threat is AI, and so is the opportunity, because no bank wants to be the one whose front door an AI agent walks through unrecognized. We know that is coming, but that is a conversation for another day.
The technology to kill the document is sitting in your pocket. The cryptography is decades old, the standards are written, the early movers are live. What is missing is not capability, it is will, and AI is about to supply it whether the industry is ready or not. The banks that rebuild around verifiable credentials in the next two years will quietly stop worrying about deepfakes. The ones still asking you to hold up your license to a camera will be explaining to their boards why the fraud numbers keep climbing.